Sniffing ISO15693 RFID iCLASS SE transactions on a 13.56MHz carrier using a PicoScope 3204A and an OpenPICC SnifferOnly frontend.

Introduction

OpenPCD is an open source and open hardware project around Near Field Communication (NFC), RFID reader, writer & emulator hardware for 13.56 MHz. Our devices are able to sniff data from HF RFID cards (13.56 MHz Proximity Integrated Circuit Cards, PICC) conforming to vendor-independent standards such as ISO 14443 (DESFire, new electronic passports etc.) and ISO 15693, as well as undocumented and proprietary protocols such as Mifare Classic and iCLASS.

The intention of the OpenPCD project is to offer users full hardware control of the RFID signal and to provide various output signals for screening the communication. Together with the already existing Free Software from the libNFC project, which implements the PCD-side protocol stack of various RFID protocols, this project will happily extend the free toolchain around RFID security research & verification.

HID iCLASS demystified

In our talk at the 27C3 in Berlin we disclosed our security research on HID iCLASS RFID cards. These cards were not publicly documented yet, so we describe our approach to analyzing an unknown RFID system. Our most important discovery was that iCLASS Standard Security cards can be easily read and copied with low-cost consumer USB RFID readers, because the same two keys were used world-wide for all iCLASS Standard Security installations. An in-depth description of our security analysis can be found on our HID iClass demystified page and in our white paper Heart of Darkness - exploring the uncharted backwaters of HID iCLASS security.

License

The hardware design has been released under a CC attribution share-alike license, the reader firmware and drivers (librfid glue code, plus some extras) have been released under GNU/GPL. You can find both at our download page. Your participation is welcomed in our OpenPCD Subversion repository and our Wiki.

As an alternative to the open source licenses provided here, the design and SDK are also available under non-open license terms upon request.

History

The project's prehistory started in May 2005, with Harald and Milosch working in the lab of the CCC Berlin on different ways to passively receive and demodulate RFID signals. The RFID tag responds to the reader by using the transmitted 13.56 MHz carrier as its power supply and load-modulating that carrier with an 847.5 kHz subcarrier according to the information it stores. Once it was understood how to downmix the incoming signal so that it could be filtered with common filters before amplification, a hardware design (rfiddump.org) was created to simulate the RFID transponder. Brita got involved with the HF PCB layout for the RFID Mini Sniffer and with trials of different antennas.
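To make the signal chain described above concrete, here is a small, added simulation (not code from the OpenPCD project) of what a passive sniffer sees: a 13.56 MHz carrier that a tag weakly amplitude-modulates with an fc/16 = 847.5 kHz square-wave subcarrier, then a complex downmix with a local oscillator at fc and a one-cycle average as a crude low-pass, which moves the subcarrier down to baseband where it can be filtered and detected. The sample rate (8 samples per carrier cycle), the 5 % modulation depth, the simple on/off framing of 8 subcarrier cycles per bit and the optional Gaussian noise are all assumptions chosen for illustration and do not follow any ISO bit coding.

```python
"""Toy model of passive RFID sniffing: load modulation, downmixing and
subcarrier detection. Pure Python, standard library only (assumed setup)."""
import cmath
import math
import random

FC = 13.56e6                 # reader carrier, Hz
FSUB = FC / 16               # 847.5 kHz subcarrier (fc/16), as stated on the page
SPC = 8                      # samples per carrier cycle: assumed fs = 8 * fc
SUB_PERIOD = 16 * SPC        # samples per subcarrier period
BIT_PERIOD = 8 * SUB_PERIOD  # assumed framing: 8 subcarrier cycles per bit
MOD_DEPTH = 0.05             # assumed load-modulation depth (5 % of carrier amplitude)


def load_modulated_signal(bits, depth=MOD_DEPTH, noise_sigma=0.0, seed=0):
    """Return the real-valued samples a sniffer antenna would pick up.

    For a '1' bit the tag switches its load in step with the fc/16 subcarrier,
    which weakly amplitude-modulates the reader's carrier; for a '0' bit the
    load stays idle. Optional Gaussian noise models a noisy pickup."""
    rng = random.Random(seed)
    samples = []
    for bit in bits:
        for k in range(BIT_PERIOD):
            n = len(samples)   # global sample index keeps the carrier phase continuous
            sub = 1.0 if (k % SUB_PERIOD) < SUB_PERIOD // 2 else -1.0
            amp = 1.0 + depth * sub if bit else 1.0
            noise = rng.gauss(0.0, noise_sigma) if noise_sigma else 0.0
            samples.append(amp * math.cos(2 * math.pi * n / SPC) + noise)
    return samples


def downmix(samples):
    """Mix with a complex local oscillator at fc and average each carrier cycle.

    The averaging acts as a crude low-pass filter: it cancels the 2*fc mixing
    product and leaves the baseband envelope, on which the 847.5 kHz
    subcarrier can be filtered and amplified with ordinary components."""
    mixed = [s * cmath.exp(-2j * math.pi * n / SPC) for n, s in enumerate(samples)]
    envelope = []
    for i in range(0, len(mixed) - SPC + 1, SPC):
        envelope.append(abs(sum(mixed[i:i + SPC]) / SPC))
    return envelope   # one value per carrier cycle, roughly amp / 2


def _subcarrier_correlation(envelope, bit_index):
    """Correlate one bit period of the envelope (DC removed) with the
    expected fc/16 square wave; returns the mean product."""
    per_sub = SUB_PERIOD // SPC
    per_bit = BIT_PERIOD // SPC
    chunk = envelope[bit_index * per_bit:(bit_index + 1) * per_bit]
    dc = sum(chunk) / len(chunk)
    corr = 0.0
    for k, v in enumerate(chunk):
        ref = 1.0 if (k % per_sub) < per_sub // 2 else -1.0
        corr += (v - dc) * ref
    return corr / len(chunk)


def estimate_depth(envelope, bit_index):
    """Recover the modulation depth seen in one bit period (about 0 for an idle bit)."""
    return 2.0 * _subcarrier_correlation(envelope, bit_index)


def detect_bits(envelope, nbits, threshold=MOD_DEPTH / 4):
    """Decide for each bit period whether the subcarrier was present."""
    return [1 if _subcarrier_correlation(envelope, b) > threshold else 0
            for b in range(nbits)]


if __name__ == "__main__":
    tx = [1, 0, 1, 1, 0, 0, 1, 0]           # constructed test pattern
    env = downmix(load_modulated_signal(tx, noise_sigma=0.05))
    print("sent    :", tx)
    print("detected:", detect_bits(env, len(tx)))
    print("depth in bit 0: %.3f" % estimate_depth(env, 0))
```

The point of the downmix step is visible in the numbers: the raw samples swing by a full carrier amplitude while the tag's contribution is only a few percent of that, but after mixing and averaging the carrier collapses to a constant and the subcarrier stands out as a small square wave on top of it, which a correlator (or, in hardware, a simple filter and amplifier) can pick up reliably even with added noise.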

In a one-hour presentation at the 22C3 (Chaos Communication Congress, December 2005 in Berlin) Harald and Milosch first publicly announced the project. Harald covered the technical background of RFID technology, the ICAO MRTD specification, and his efforts to develop a free software protocol stack. Milosch described the current progress in developing hardware and software defined radio based passive sniffing of the RFID radio interface.

Meanwhile Harald launched the project OpenMRTD, which provides a free (GPL) toolset for reading and verifying various RFID protocols from MRTDs (Machine Readable Travel Documents). As part of this project the Free Software RFID library 'librfid' implements the RFID reader side protocol stack of ISO 14443 A, ISO 14443 B, ISO 15693, Mifare Ultralight and Mifare Classic. In order to use these free tools, users still have to rely on commercial and closed hardware readers with their limitations and faults.

To fill this gap in the free toolchain for verifying RFID protocols, this project tries to develop a free hardware design of an RFID reader with free firmware (which either works with librfid on the host PC, or runs librfid in the reader). The first prototype of the OpenPCD free RFID reader is still under testing but already offers the basic functionality of reading different RFID cards/transponders and transmitting freely modulated signals.

Team

From left to right: Milosch Meriac, Brita Meriac, Harald Welte

Harald Welte is a long-term supporter and active member of the Free Software community. His expertise in Linux kernel development and networking security made him chairman of the netfilter core team. He is one of the principal authors of the Linux 2.4+ kernel packet filter, securing virtually every Linux installation. As manager of hmw-consulting in Berlin, Harald Welte offers professional consulting, development and training in the fields of networking security, Linux kernel development and embedded Linux.

Milosch Meriac is a freelance hardware & software developer/consultant with a broad range of experience in software engineering and hardware development. His focus is on deeply embedded systems, hardware development, embedded Linux, low-level programming, real-time systems, IT security and reverse engineering. He was part of the core team of the Xbox Linux project, which ported GNU/Linux to the Xbox gaming system. Milosch Meriac provides custom-tailored hardware and software development and consulting through Bitmanufaktur GmbH in Berlin.

Brita Meriac (formerly known as Brita Rausch ;-)) is working in the field of electronic design. At Bitmanufaktur GmbH she is creating electronic designs and PCB layouts.

Further help on this project is very much appreciated. Please feel free to contact us via email.